
Visualization that takes into account time of day

myoung54
Explorer

Hey all,

So I'm kind of scratching my head on this, and any kind of guidance would be extremely helpful!
Alright, so I have a dashboard with a stoplight visualization that looks at volume of a particular thing. Volume high=Good, Volume low=Outage, and anything in-between = Degraded. I have it working perfectly fine now, but my company is 24/7 and volume is not at the same levels at night as it is during the day, so what's happening is that at night volume drops and the dashboard shows "outage" but there really isn't an outage, volume is simply lower because it's night time.

Is there any way I can add something to the query to factor in the time of day? Or should I be going about this a completely different way?

index=aries* sourcetype=aries-main RealtimeAccessLobby (host=dtlprdart* OR host="aglprdart*") md=10 ty=*
| eval error=coalesce(ei, ec, stccode, aaacode, " Success")
| eval er=case(et="HIPAA", ".Reject", error!=" Success", "Fail")
| eval Status=coalesce(er, error)
| eval cnt=1
| table _time, Status, cnt
| append [search index=oracle | eval Status=".Reject" | eval cnt=0 | head 1 | table _time, Status, cnt]
| timechart span=1m sum(cnt) by Status
| addtotals fieldname=Total
| eval TotalRate=(Total/100)
| fillnull value=0 TotalRate
| eval Warning=case(TotalRate<10,"Outage", TotalRate<27,"Degraded", true(),"Good")
| eval Status=case(TotalRate<10,"times-circle", TotalRate<27,"exclamation-triangle", true(),"check-circle")
| eval color=case(TotalRate<10,"#FF0000", TotalRate<27,"#ffff00", true(),"#65a637")
0 Karma
1 Solution

to4kawa
SplunkTrust
SplunkTrust
 ....
| eval day_night=tonumber(strftime(_time,"%H"))
| eval Warning=case(TotalRate<5, "Outage", TotalRate<10 AND (day_night>=7 AND day_night<19), "Outage", TotalRate<27, "Degraded", true(), "Good")
....

hi, @myoung54
Like this; please add a day/night condition.
And then
| fields - day_night if you have a problem.


0 Karma


skoelpin
SplunkTrust
SplunkTrust

You're looking for adaptive thresholding. See my previous answer on this

https://answers.splunk.com/answers/590464/how-you-detect-an-anomaly-from-a-time-frame-the-pr.html

0 Karma